Between You, Me, and Google: Problems With Gmail's “Confidential Mode”

With Gmail’s new designrolled out to more and more users, many have had a chance to try out its new “Confidential Mode.” While many of its features sound promising, what “Confidential Mode” provides isn’t confidentiality. At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail. We fear that Confidential Mode will make it less likely for users to find and use other, more secure communication alternatives. And at worst, Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security.

With its new Confidential Mode, Google purports to allow you to restrict how the emails you send can be viewed and shared: the recipient of your Confidential Mode email will not be able to forward or print it. You can also set an “expiration date” at which time the email will be deleted from your recipient’s inbox, and even require a text message code as an added layer of security before the email can be viewed.

Unfortunately, each of these “security” features comes with serious security problems for users.

DRM for Email

It’s important to note at the outset that because Confidential Mode emails are notend-to-end encrypted, Google can see the contents of your messages and has the technical capability to store them indefinitely, regardless of any “expiration date” you set. In other words, Confidential Mode provides zero confidentiality with regard to Google.

Here’s how IRM works: companies make a locked-down version of a product that checks documents for flags like “don’t allow printing” or “don’t allow forwarding” and, if it finds these flags, the program disables the corresponding features. To prevent rivals from making their own interoperable products that might simply ignore these restrictions, the program encrypts the user’s documents, and hides the decryption keys where users aren’t supposed to be able to find them.

This is a very brittle sort of security: if you send someone an email or a document that they can open on their own computer, on their own premises, nothing prevents that person from taking a screenshot or a photo of their screen that can then be forwarded, printed, or otherwise copied.

But that’s only the beginning of the problems with Gmail’s new built-in IRM. Indeed, the security properties of the system depend not on the tech, but instead on a Clinton-era copyright statute. Under Section 1201 of the 1998 Digital Millennium Copyright Act (“DMCA 1201”), making a commercial product that bypasses IRM is a potential felony, carrying a five-year prison sentence and a $500,000 fine for a first offense. DMCA 1201 is so broad and sloppily drafted that just revealing defects in Google IRM could land you in court.

We think that “security” products shouldn’t have to rely on the courts to enforce their supposed guarantees, but rather on technologies such as end-to-end encryption which provide actual mathematical assurances of confidentiality. We believe that using the term “Confidential Mode” for a feature that doesn’t provide confidentiality as that term is understood in infosec is misleading.

“Expiring” Messages

Similarly, we believe that Confidential Mode’s option to set an “expiration date” for sensitive emails could lead users to believe that their messages will completely disappear or self-destruct after the date they set. But the reality is more complicated. Also sometimes called “ephemeral” or “disappearing” messages, features like Confidential Mode’s “expiring” messages are not a privacy panacea. From a technical perspective, there are plenty of ways to get around expiring messages: a recipient could screenshot the message or take a picture of it before it expires.

But Google’s implementation has a further flaw. Contrary to what the “expiring” name might suggest, these messages actually continue to hang around long after their expiration date for instance, in your Sent folder. This Google “feature” eliminates one of the key security properties of ephemeral messaging: an assurance that in the normal course of business, an expired message will be irretrievable by either party. Because messages sent with Confidential Mode are still retrievable—by the sender and by Google—after the “expiration date,” we think that calling them expired is misleading.

If Google doesn’t already have that information, using the SMS passcode option effectively gives Google a new way to link two pieces of potentially identifying information: an email address and a phone number.

This “privacy” feature can be harmful to users with a need for private and secure communications, and could lead to unpleasant surprises for recipients who may not want their phone number exposed.

Not So Confidential

Ultimately, for the reasons we outlined above, in EFF’s opinion calling this new Gmail mode “confidential” is misleading. There is nothing confidential about unencrypted email in general and about Gmail’s new “Confidential Mode” in particular. While the new mode might make sense in narrow enterprise or company settings, it lacks the privacy guarantees and features to be considered a reliable secure communications option for most users.

Related Updates

On June 28, California enacted the Consumer Privacy Act (A.B. 375), a well-intentioned but flawed new law that seeks to protect the data privacy of technology users and others by imposing new rules on companies that gather, use, and share personal data. There's a lot to like about the...

Last month, 360 cyber crime experts from 95 countries gathered in Strasbourg to attend the Octopus Conference. The event sounds like something from James Bond, and when you look at the attendee list—which includes senior figures from the United States Department of Justice, national police forces across the...

August has just begun, and that means the start of the summer recess for Congress. During that recess, most members of Congress—specifically members of the House of Representatives—will be coming home. And that means that you have the opportunity to meet and talk to them without traveling to Washington...

Two reporters recently identified eight AT&T locations in the United States—towering, multi-story buildings—where NSA surveillance occurs on the backbone of the Internet. Their article showed how the agency taps into cables, routers, and switches that handle vast quantities of Internet traffic around the world. Published by The Intercept, the...

Brett Kavanaugh’s nomination has sparked a great deal of discussion about his views on reproductive rights and executive authority. But the Supreme Court tackles a broad range of issues, including the present and future of digital rights and innovation. As Congress plays its crucial constitutional role in scrutinizing judicial nominees...

The Kelsey Smith Act Would Force Cell Providers to Turn Private User Data Over to Law Enforcement Tragedies often bring political proposals that would do more harm than help—undermining our right to secure communications, for example, or our right to gather online. It is in these moments we...

When government agencies refuse to let the members of the public watch what they’re doing, drones can be a crucial journalistic tool. But now, some members of Congress want to give the federal government the power to destroy private drones it deems to be an undefined “threat.” Even worse, they’re...

The Trump Administration’s “zero tolerance” program of criminally prosecuting all undocumented adult immigrants who cross the U.S.-Mexico border has had the disastrous result of separating as many as 3,000 children—many no older than toddlers—from their parents and family members. The federal government doesn’t appear to have kept track...

Free WiFi all across New York City? It might sound like a dream to many New Yorkers, until the public learned that it wasn’t “free” at all. LinkNYC, a communications network that is replacing public pay phones with WiFi kiosks across New York City, is paid for by advertising that...